1. Field of the Invention
The present invention relates generally to networking. More particularly, the present invention pertains to access security for networks.
2. Description of the Background Art
Local area networks (LANs) of various types that are IEEE 802 compliant may be connected together with media access control (MAC) bridges. The IEEE 802.1Q standard defines the operation of virtual LANs (VLANs) within a bridged LAN infrastructure.
Under IEEE 802.1Q, VLANs are not restricted to a single switch. Such VLANs can span many switches (and may even span across a wide area network). A tag field with a VLAN identifier (VLAN ID or VID) is included with the data frame. The tag with VID serves to communicate the VLAN membership information between switches. Within IEEE 802.1Q, the VID can range from 1 to 4094.
A switch port which is IEEE 802.1Q compliant may be configured to transmit tagged frames to other IEEE 802.1Q-compliant devices (such as, for example, other IEEE 802.1Q-compliant switches), or it may be configured to transmit untagged frames to devices that are non-IEEE 802.1Q-compliant (such as, for example, typical network interface cards for printers or computers). A non-IEEE 802.1Q-compliant device that receives a tagged frame will not comprehend the VLAN tag and will typically drop the frame. Hence, a port should be configured to send untagged frames if non-IEEE 802.1Q-compliant devices are attached to the port.
FIG. 1 is a schematic diagram illustrating a conventional IEEE 802.1Q-compliant switch 100 with ports configured as members of various VLANs. The switch 100 includes a switching section 102, a plurality of switch ports 104, a switch operating system (OS) 106, and a switch configuration file 108.
The switching section 102 is coupled to each of the ports 104. The switching section may include, for example, a crossbar switch or other circuitry, and makes connections between the ports 104 so that frames can be transferred from one port to another port.
Eight switch ports 104 are shown in this example. The ports 104 are shown as numbered, for example, as #1, #2, #3, #4, #5, #6, #7, and #8. Under IEEE 802.1Q, each port may be assigned untagged membership in one VLAN. More specifically, there is an ingress list and an egress list of VLANs. The ingress list helps determine how to classify frames onto VLANs when they are received. The egress list determines the format (tagged or untagged) the frames will have when transmitted. The egress list may contain many VLANs in untagged format, but on ingress there is typically only a single untagged VLAN. In other words, as far as the ingress list is concerned, a port 104 may typically be an untagged member of only one VLAN, but it may be a tagged member of more than one VLAN. Even if a port 104 is not an untagged member of any VLAN, it may still be a tagged member of one or more VLANs and pass along frames with those VLAN tags.
The untagged membership of each port 104 in FIG. 1 is indicated by a Port VLAN ID or PVID. In the example illustrated in FIG. 1: port #1 has been configured with PVID 2; port #2 has been configured with PVID 1; port #3 has been configured with PVID 2; port #4 has been configured with PVID 3; port #5 has been configured with PVID 2; port #6 has been configured with PVID 1; port #7 has been configured with PVID 2; and port #8 has been configured with PVID 1. In other words, ports # 2, #6, and #8 are untagged members of the VLAN having VID 1. Ports #3, #5, and #7 are untagged members of the VLAN having VID 2. Port #4 is an untagged member of the VLAN having VID 3. Port #1 is not an untagged member of any VLAN.
In the example illustrated, port #1 is coupled to another switch that is 802.1Q compliant. As such, the other switch can receive and decode frames with VLAN tags. Such tagged frames may be sent via port #1 to the other switch. For example, port #1 may be a tagged member of the VLAN with VID 3. For example, if port #2 of the switch 100 received a broadcast data frame tagged with VID 3, that tagged data frame would then be transmitted via port #1 to the other switch. In addition, an untagged version of the data frame would be broadcast via port #4.
The switch OS 106 includes software routines used to control the operation of the switch 100. The switch configuration file 108 includes configuration information utilized by the switch OS 106. For example, the switch configuration file 108 may include the untagged and tagged VLAN membership data for each port 104 of the switch 100.
FIG. 2 is a flow chart depicting a conventional method 200 for responding to a new client at a port when the port is under the control of the IEEE 802.1X port access control scheme. For purposes of discussion, consider the new client to be accessing the network via switch port #7 of the switch 100 in FIG. 1. The new client is detected 202 by the port. For example, the new client may be a laptop computer of a university student, and the student may be trying to access a network in a teaching laboratory at the university. In this example, the laboratory network utilizes an implementation of the IEEE 802.1X protocol to authenticate student computers before allowing the computers access to the network.
IEEE 802.1X is an example of a network access server (NAS) protocol. IEEE 802.1X runs at layer 2 of the OSI networking model, and so IEEE 802.1X may be completed prior to a client obtaining an internet protocol (IP) address (which is a layer 3 type address). Under IEEE 802.1X, an authentication session may utilize, for example, the RADIUS protocol between an authentication server and supplicant software at the new client.
A branch in the process 200 occurs depending on whether or not 204 the new client has the resources present to enable an authentication session. For example, the branch would occur depending on whether or not the student's computer has IEEE 802.1X-compliant supplicant software.
Let's first consider the situation where the new client does have the resources to enable the authentication session (the Y or Yes branch from 204). For example, the student's computer has the IEEE 802.1X supplicant software already installed. In this situation, an authentication session occurs 208 with the new client in order to authenticate the new client. The authentication may involve, for example, checking the new client against a secure database of authorized users. If the new client does not pass authentication, then access by the new client to the network would be denied 206. If the new client passes the authentication, then access via the switch port 104 would be granted 212 to the new client. In our example, if access were via port #7 of FIG. 1, then the new client would be able to receive untagged frames on the VLAN with VID 2.
However, now consider the situation where the student's computer does not have IEEE 802.1X supplicant software currently on it. In other words, the new client has not yet installed the resources needed to enable the authentication session (the N or No branch from 204). For instance, IEEE 802.1X software is included in Microsoft Windows XP, but not in prior versions of Windows. Hence, a laptop running one of the prior versions would not have the IEEE 802.1X supplicant installed as part of the operating system. In this situation, since the authentication session is not enabled, access is simply denied 206. This result is undesirable because the new client may be “friendly” (for example, it may be a properly registered student with an older Windows operating system on her laptop). In other words, if the new client had the proper resources, then authentication may have been completed. However, due to a lack of the resources, the authentication session was not enabled to be performed. In another example, the new client may have the supplicant software installed, but it may not yet have a valid account.
The above-described problems and disadvantages may be overcome by utilizing embodiments of the present invention.
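As an added illustration (not part of the patent text), the following Python model reproduces the IEEE 802.1Q ingress classification and egress formatting of switch 100 in FIG. 1, and gates each port with the IEEE 802.1X access decision of method 200 in FIG. 2. The PVIDs are those given for FIG. 1; port #2's tagged membership in VID 3 is an assumption made so that the tagged broadcast example in the text passes ingress filtering.

```python
# Added example (not from the patent): IEEE 802.1Q ingress classification and
# egress formatting for switch 100 (FIG. 1), gated by an IEEE 802.1X-style port
# state from method 200 (FIG. 2). Port #2's tagged membership in VID 3 is assumed.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class Port:
    pvid: Optional[int]                            # untagged (ingress) VLAN, None = none
    tagged: Set[int] = field(default_factory=set)  # tagged VLAN memberships
    authorized: bool = True                        # 802.1X: False = access denied (206)

# FIG. 1 configuration, port number -> Port
PORTS: Dict[int, Port] = {
    1: Port(pvid=None, tagged={3}),  # uplink to another 802.1Q-compliant switch
    2: Port(pvid=1, tagged={3}),     # tagged membership in 3 is an assumption
    3: Port(pvid=2), 4: Port(pvid=3), 5: Port(pvid=2),
    6: Port(pvid=1), 7: Port(pvid=2), 8: Port(pvid=1),
}

def classify(port_no: int, tag_vid: Optional[int]) -> Optional[int]:
    """Ingress: VLAN the received frame is classified onto, or None if dropped."""
    port = PORTS[port_no]
    if not port.authorized:          # unauthenticated client: nothing is forwarded
        return None
    if tag_vid is None:              # untagged frame takes the port's PVID
        return port.pvid
    if not 1 <= tag_vid <= 4094:     # VID must be within the 802.1Q range
        return None
    # ingress filtering: the port must be a member of the tagged VLAN
    return tag_vid if tag_vid in port.tagged or tag_vid == port.pvid else None

def flood(in_port: int, tag_vid: Optional[int]) -> Dict[int, str]:
    """Broadcast: egress port -> frame format ('tagged' or 'untagged')."""
    vid = classify(in_port, tag_vid)
    out: Dict[int, str] = {}
    for no, p in PORTS.items():
        if vid is None or no == in_port or not p.authorized:
            continue
        if p.pvid == vid:
            out[no] = "untagged"     # non-802.1Q devices must receive untagged frames
        elif vid in p.tagged:
            out[no] = "tagged"
    return out

def port_access(port_no: int, has_supplicant: bool, credentials_ok: bool) -> bool:
    """Method 200: no supplicant -> denied at 204/206; else authentication decides."""
    PORTS[port_no].authorized = has_supplicant and credentials_ok
    return PORTS[port_no].authorized
```

`flood(2, 3)` reproduces the broadcast in the text: the frame leaves tagged via port #1 and untagged via port #4, while a client without a supplicant on port #7 is cut off from VLAN 2 entirely.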